exploit-intel blog

Security research, vulnerability analysis, and platform updates from the Exploit Intelligence Platform team. Deep dives into exploit trends, CVE intelligence, and the tools we build for the security community.

Latest Post
· 21 min read

CVE-2026-41702: Forty-Seven Microseconds in /var/run/vmware/cnx-tmp

A TOCTOU race in VMware Fusion 25's vmx-apple binary that turns booting a VM into an arbitrary chown, then the arbitrary chown into a passwordless root shell via PAM injection. The ingredients: a world-writable sticky directory, a SUID-root callee, bind() and chown() both following symlinks, and a 5-15 microsecond window between them. Full LPE chain in 40 seconds from a single VM boot. The interesting part is what made it reliable.
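The bind()-then-chown() window the summary describes, reduced to a generic model, as an added example that is neither the post's nor VMware's code: a Unix socket is bound in a temp directory, the attacker's swap of the socket node for a symlink is performed deterministically between the two calls (so no timing race is needed to see the effect), and a hardened fix-up that lstat()s the node and changes ownership with AT_SYMLINK_NOFOLLOW refuses the swap where plain chown() silently reports success. All function names, the /tmp/cnx-demo-XXXXXX path and the victim file are hypothetical constructions for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Generic model of the pattern described above: a privileged process bind()s
 * a Unix socket inside a world-writable sticky directory, then chown()s the
 * path. Both calls resolve symlinks, so swapping the socket node for a symlink
 * between them redirects the chown. Names and paths here are hypothetical;
 * this is not vmx-apple code and not the CVE's exploit. */

/* bind() a Unix socket at path; returns the socket fd or -1. */
static int create_socket_node(const char *path) {
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa.sun_path) { errno = ENAMETOOLONG; return -1; }
    strcpy(sa.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return -1; }
    return fd;
}

/* Vulnerable fix-up: chown() follows symlinks, so it lands on whatever the
 * path resolves to at call time and reports success either way. */
int vulnerable_fixup(const char *path, uid_t uid, gid_t gid) {
    return chown(path, uid, gid);
}

/* Hardened fix-up: confirm with lstat() that the node is still a socket we
 * own, then change ownership with AT_SYMLINK_NOFOLLOW so a symlink is never
 * followed. A mismatch is treated as tampering: -1 with errno = EPERM.
 * The remaining lstat/fchownat window is harmless (at worst the symlink
 * itself is re-owned); the real fix is a private 0700 directory. */
int hardened_fixup(const char *path, uid_t uid, gid_t gid) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISSOCK(st.st_mode) || st.st_uid != geteuid()) { errno = EPERM; return -1; }
    return fchownat(AT_FDCWD, path, uid, gid, AT_SYMLINK_NOFOLLOW);
}

/* Simulated attacker: replace the socket node with a symlink to victim. */
int attacker_swap(const char *path, const char *victim) {
    if (unlink(path) != 0) return -1;
    return symlink(victim, path);
}

/* Run the race deterministically in a fresh temp directory: the swap happens
 * between the two fix-up calls. Returns 1 when the genuine socket is accepted,
 * the vulnerable fix-up "succeeds" on the swapped symlink, and the hardened
 * fix-up refuses it; 0 on any setup failure. */
int demo(void) {
    char dir[] = "/tmp/cnx-demo-XXXXXX";          /* hypothetical sticky dir */
    if (mkdtemp(dir) == NULL) return 0;
    char sock[64], victim[64];
    snprintf(sock, sizeof sock, "%s/sock", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);   /* constructed target */
    if (vfd < 0) return 0;
    close(vfd);
    int sfd = create_socket_node(sock);
    if (sfd < 0) return 0;
    uid_t uid = geteuid(); gid_t gid = getegid();       /* own ids: no root needed */
    int genuine_ok = hardened_fixup(sock, uid, gid) == 0;
    int swapped = attacker_swap(sock, victim) == 0;
    int vuln_rc = vulnerable_fixup(sock, uid, gid);    /* follows link: returns 0 */
    int hard_rc = hardened_fixup(sock, uid, gid);      /* refuses: -1, EPERM */
    int caught = hard_rc == -1 && errno == EPERM;
    close(sfd); unlink(sock); unlink(victim); rmdir(dir);
    return genuine_ok && swapped && vuln_rc == 0 && caught;
}

int main(void) {
    printf("hardened check caught the symlink swap: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The chown targets the caller's own uid/gid, so the program runs unprivileged; the point is that the vulnerable path cannot tell a genuine socket from a planted symlink while the hardened path can. The S_ISSOCK-plus-owner check is a mitigation for a node that must live in a shared directory; the stronger fix is not to create the node in a world-writable sticky directory at all.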

Tags: cve-2026-41702, vmware-fusion, macos, toctou, race-condition, lpe, privilege-escalation, suid, symlink, kqueue, cwe-367, cwe-59, exploit-development, security-research
· 20 min read · EIP Team

Hermes Agent with EIP Harness: The Vulnerability Research Assistant That Also Runs Your Pipelines

Hermes Agent with the EIP Harness: a conversational AI vulnerability research assistant that runs full CVE pipelines while you stay in the loop. Built on Nous Research's Hermes. Showcase: a GitLab runner-token leak chained to RCE (CVE-2022-0735), a neatvnc pre-auth stack overflow (CVE-2026-42859), and a KEV-listed Everest Forms PHP Object Injection (CVE-2026-3296), all end to end. Our first public release of EIP CVE pipeline craft, plus win11-forge for Windows kernel and usermode lab orchestration.

Tags: hermes, eip-harness, nous-research, ai-agents, agent-orchestration, self-improving-agents, vulnerability-research-assistant, mcp, exploit-development, security-research, cve-pipeline, cve-2022-0735, cve-2026-42859, cve-2026-3296, gitlab, neatvnc, wordpress, everest-forms, win11-forge, vulnerability-intelligence, honcho
· 16 min read · EIP Team

CVE-2026-41940: cPanel & WHM Pre-Auth RCE - Two Write Paths, One Filter

CVE-2026-41940: a CRLF session-injection in cPanel & WHM that turns six unauthenticated HTTP requests into root SSH. Source-level walkthrough and audit.

Tags: cve-2026-41940, cpanel, whm, pre-auth-rce, auth-bypass, crlf-injection, session-injection, rce, watchtowr, exploit-analysis, security-research
· 10 min read · EIP Team

EIP STIX 2.1 / TAXII 2.1 Feed: Exploit Intelligence for Your Stack

EIP now exports CVE and exploit context as STIX 2.1 and serves a native TAXII 2.1 feed for SIEMs, TIPs, OpenCTI, Splunk ES, and Python pipelines.

Tags: stix, taxii, cti, threat-intelligence, vulnerability-intelligence, exploit-intelligence, siem, sentinel, opencti, splunk, announcement
· 22 min read · EIP Team

CVE-2026-35414: Three Bugs, One Commit, and Two More Nobody Mentioned

CVE-2026-35414 is a certificate principal matching bypass in OpenSSH before 10.3. The advisory says one bug. We found three - a comma-splitting misuse, an empty-principals wildcard, and a reversed match_pattern call - all hiding in the same commit. Two are independently exploitable for authentication bypass. We built working PoCs for both, then kept reading and found two more undocumented issues: a PermitListen bypass via Unix socket forwarding and a KRL revocation gap for serial-zero certificates.

Tags: openssh, cve-2026-35414, certificate, authentication-bypass, source-audit, security-research, ssh
· 18 min read · EIP Team

WP Google Map Plugin - Three Weak Links, One Critical Chain

Line 781 says $query_to_run is safe. It isn't. An autonomous pipeline found a CVSS 9.8 unauthenticated SQL injection in WP Google Map Plugin v4.9.1 -- a three-link chain of individually harmless components that, together, give any visitor full database access. Then we kept reading and found the plugin deserializes update-check responses from an external server with maybe_unserialize(). 200,000+ active installs. 35 minutes. $8.97.

Tags: cve-2026-2580, wp-google-map-plugin, wpforge, sql-injection, cwe-89, wordpress, ai, security-research, ajax, time-based-blind-sqli, unauthenticated, supply-chain, deserialization

Archive

CVE-2026-24289: Windows Kernel IOCP Race Condition - The Ghost We Proved by Salting the Circle · 22 min
CVE-2026-3910: The Type the Compiler Promised -- A V8 JIT Story in Seven Acts · 22 min
Six AI Agents, One Security Company: The Paperclip AI Experiment · 18 min
CVE-2026-4105: systemd-machined Privilege Escalation - 72 Minutes from Drop to Bypass · 20 min
CVE-2026-28391: OpenClaw Command Injection - The Day I Hacked Myself · 14 min
Introducing FuzzForge: Autonomous Source-Code Fuzzing - Finding Bugs in nginx in 112 Minutes · 16 min
CVE-2025-68670 Part 2: From Crash to RCE - The One That Fought Back (and Lost) · 28 min
CVE-2025-68670: Pre-Auth xrdp Overflow - The One Where the Protocol Fought Back · 22 min
CVE-2025-62507: Redis Stack Overflow to RCE in 68 Minutes - Then We Turned ASLR On · 22 min
CVE-2025-15467: From OpenSSL Stack Overflow to Three ROP Chains in 64 Minutes - Introducing Stackforge · 18 min
CVE-2025-26866: From Undocumented Binary Protocol to Root Shell - AI Agent Meets Java Deserialization · 26 min
72 Hours, 24 CVE Proof of Concept Exploits, and 8 Disclosure Submissions: The CVEForge Stress Test · 14 min
Foreman Command Injection and Telnetd Privilege Escalation - A Dropdown, a Blacklist, and Two Very Different Fixes · 12 min
CVE-2025-60355 (OneBlog): CVEForge Finds 3 Bypass/Incomplete Fixes in 5 CVE Runs · 11 min
Zero to RCE: Autonomous Exploit Development Across Three Vulnerability Classes · 9 min
CVE-2025-53833: Autonomous PoC Generation with CVEForge - From CVE Number to Root Shell in 32 Minutes · 12 min
CVE-2026-28296: From CRLF Injection PoC to Fix Bypass - One Prompt, One AI Agent · 10 min
Teaching an AI to Talk Exploits - Building a RAG Chatbot Over 370K CVEs · 11 min
Introducing the EIP MCP Server - Vulnerability Intelligence for AI Assistants · 8 min
eip-search - A Modern searchsploit for the Age of Exploit Intelligence · 10 min
Anatomy of a Trojan Exploit - How We Detect Backdoored PoCs with AI · 12 min
Building an Exploit Intelligence Platform from Scratch · 12 min